- A new scam is targeting people by disguising itself as a Spotify email asking you to verify your subscription information after being charged for a year's subscription of Spotify's Premium streaming service.
- Potential victims aren't charged for Spotify's Premium service, but may click the link in the email because they're surprised to receive the email.
- The link leads you to a fake Apple ID login site that expects you to use your Apple ID credentials.
- Once you try to log in, your Apple ID credentials are likely sent to the scammers.
A new phishing scam is targeting people by using a fake Spotify email in order to get you to hand over your Apple ID.
The email contains the fake confirmation of a year's subscription to Spotify's Premium streaming service — it's likely intended to prey on your surprise that you may have been erroneously charged. The email prompts victims to click a link to cancel or "review your subscription."
It's a scam to get your Apple ID credentials, and it was caught by a cautious Reddit user. Once the scammers have your Apple ID credentials, they could have access to personal information, photos in iCloud, and the location of your Apple devices. They could even potentially make purchases without your immediate knowledge.
This scam is likely taking advantage of recent changes made to Spotify subscription payments. Spotify users used to have the option to pay for their Spotify Premium account via their Apple ID, but that's no longer the case as of August 6, 2018. Spotify is now requiring its Premium subscribers to switch to Spotify's own payment system.
Red flags that it's fake
While it's an easy scam to fall for, there are ways to check if it's illegitimate. Check out the email below:
For one, there's a grammar mistake in the email's text where it says "You are in charged for your subscription."
The other red flag is that the subscription email is from Spotify, yet the payment system being referenced here is your Apple ID. If there were any changes or charges made to your Spotify account using your Apple ID, the subscription confirmation email would come from Apple rather than Spotify.
Unfortunately, the screenshot taken by the Redditor doesn't show the sender's email address, which would likely also raise eyebrows. It might bear similarities to an official Spotify email address, but scam emails usually have some telltale signs that they're illegitimate, like random letters and numbers in the sender's email address.
If you click on the link in the email, it leads you to a convincing-yet-fake Apple ID sign-in screen, where you're expected to enter your Apple ID credentials. Once you hit "Next," the information is likely sent directly to those behind the phishing scam.
Above, there's a clear sign that this Apple ID login screen is fake. The website's URL in the browser bar starts off looking legitimate enough, with the words "myappleid-confirmcancellation," but the following words, "aijcbtgroup...," would never be associated with an official Apple website.
If it were real, the site's URL address would also be green on Apple's iOS devices, indicating that it's a secure site with "HTTPS" certification. On computers, you should also check if it has the "https" letters at the very beginning of the URL address, as shown below:
Apple does have some protective measures in place — like asking you to verify a login with numbers sent to your other Apple devices or to your email address — so scammers may not get very far unless they have access to your other Apple devices or email address. Still, it's better to be careful.
If you think you did fall victim to this phishing scam, your next move is to change your Apple ID password right away.
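The URL red flags described above can be checked mechanically. The following Python is an added example, not part of the original article; it goes slightly beyond the article's two checks by also flagging text before an "@" and punycode hostnames. The trusted-domain set, the brand keywords and the sample links are assumptions constructed for illustration, and the ".example" hosts are placeholders rather than the scam's real address.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain accepted for an Apple ID sign-in page.
TRUSTED_DOMAINS = {"apple.com"}
# Assumed brand keywords worth flagging when they appear in an untrusted hostname.
BRAND_WORDS = ("apple", "icloud")


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host equals a trusted domain or is a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url):
    """Return a list of red flags for a link that claims to be an Apple ID page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    if parts.username is not None:
        # Text before '@' is userinfo, not the site; the real host follows it.
        flags.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")
    if not host_is_trusted(host):
        flags.append("untrusted-host")
        # A familiar name at the start of the host proves nothing about the owner.
        if any(word in host for word in BRAND_WORDS):
            flags.append("brand-name-in-untrusted-host")
    return flags


# Constructed sample links (placeholders, not taken from the scam email).
SAMPLES = [
    "https://appleid.apple.com/",
    "https://myappleid-confirmcancellation.placeholder.example/login",
    "http://appleid.apple.com/",
    "https://appleid.apple.com@placeholder.example/login",
    "https://appleid.apple.com.placeholder.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link) or ["no red flags"])
```

Note that the second sample uses "https" and still fails: the padlock only says the connection is encrypted, while the hostname check is what ties the page to Apple.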